Tuesday, April 15, 2014

RDP to Windows 2012 Server - The Local Security Authority cannot be contacted.

I recently came across a problem where if you attempted to RDP to a Windows 2012 server you received the following error:

An authentication error has occurred.
The Local Security Authority cannot be contacted

Remote computer: hostname

Turns out that by default we were building 2012 servers with NLA (Network Level Authentication) turned on. This caused a few issues with RDP connections from our VPN support accounts, and of course with RDP'ing to machines when your password has expired (or is set to 'User must change password at next logon'): NLA authenticates the user before the desktop session is created, so there is no logon screen on which to change the password.

Now this is a security vs. convenience trade-off, so you need to decide whether turning it off is the right thing to do in your environment. For us, turning it off on a couple of key management servers removes the nightmare of admins being locked out when their passwords expire.

To do this, press Windows+R (to get a Run box) and execute sysdm.cpl. This opens the System Properties screen. Click the Remote tab at the top, uncheck "Allow connections only from computers running Remote Desktop with Network Level Authentication (recommended)" and click OK.
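As an added example (not from the original post), the same NLA switch can be audited and set from PowerShell instead of the sysdm.cpl dialog, which makes it easy to check which management servers still have it off. It assumes admin rights and WMI access to each server; the server names are placeholders.

```powershell
# Audit / set the "Allow connections only from computers running Remote Desktop
# with Network Level Authentication" setting without the GUI (added example).
# Assumes: local admin on each target and WMI (DCOM) reachability.

function Get-RdpNlaState {
    param([string[]]$ComputerName = $env:COMPUTERNAME)
    foreach ($c in $ComputerName) {
        # Win32_TSGeneralSetting lives in root\cimv2\TerminalServices; remote queries to
        # this namespace need PacketPrivacy authentication.
        $ts = Get-WmiObject -ComputerName $c -Namespace 'root\cimv2\TerminalServices' `
                -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'" `
                -Authentication PacketPrivacy
        [pscustomobject]@{
            ComputerName  = $c
            NlaRequired   = [bool]$ts.UserAuthenticationRequired   # 1 = checkbox ticked
            SecurityLayer = $ts.SecurityLayer                      # 0 = RDP, 1 = Negotiate, 2 = TLS
        }
    }
}

function Set-RdpNlaState {
    param([string]$ComputerName, [bool]$Required)
    $ts = Get-WmiObject -ComputerName $ComputerName -Namespace 'root\cimv2\TerminalServices' `
            -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'" `
            -Authentication PacketPrivacy
    # Same switch as the checkbox in sysdm.cpl; 0 turns NLA off, 1 turns it back on.
    $ts.SetUserAuthenticationRequired([int]$Required) | Out-Null
}

# Usage: report which servers have NLA off (placeholder names), then re-enable it on one.
Get-RdpNlaState -ComputerName 'mgmt01', 'mgmt02' | Format-Table -AutoSize
Set-RdpNlaState -ComputerName 'mgmt02' -Required $true
```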

Wednesday, April 2, 2014

Deploying the Puppet Agent on Solaris 9

I manage ~300 UNIX/Linux servers, responsible for serving up POS sessions at our stores. Around 200 of these are Solaris 9. The following is how I automated the deployment of the Puppet agent onto these Solaris 9 servers. If anyone finds this useful but has some questions, feel free to ask. There's not a lot of info out there on Solaris 9 Puppet deployment, so this did take a little bit of research to accomplish.

A few points:

* Our Solaris 9 servers' hostnames do not match their DNS names.
* We use an authenticated proxy, so the local script sets the http_proxy environment variable (pkgutil checks the OpenCSW catalog before installing).
* I have included all of the files referenced below in one bundle.tar.
* Patch 113713-29 was required for OpenCSW to work (to allow me to install Puppet).
* During the rollout phase I turned autosigning on on my Puppet master. To do this, add the following line to /etc/puppet/puppet.conf on the master server, under [master]:
    autosign = true
* Both scripts below are required to install the Puppet agent.

---- remote-solaris9-install.sh ----

#!/bin/bash
# Puppet OpenSource Client Installation script for Solaris 9
# Author Daniel Eather
# Runs on the admin workstation; the target server is reached over ssh/scp as root.
# Usage: for x in $(cat server_list); do ./remote-solaris9-install.sh ${x}; done

# Check we have exactly one hostname specified as an argument
if [ "$#" -ne 1 ]; then
    echo "ERROR: You must only supply the hostname as an argument."
    exit 1
fi

# Store and convert hostname to lower case (required for custom certname variable in agent's puppet.conf)
HOSTNAME=`echo "$1" | tr '[:upper:]' '[:lower:]'`

# Time stamp
timeStamp=`/bin/date +%Y%m%d%H%M%S`

# Check Puppet Agent is not already installed
checkPuppet=$(ssh root@${HOSTNAME} "ls /opt/csw/bin/puppet 2>/dev/null")
if [ -n "$checkPuppet" ]; then
    echo "Puppet Agent is already installed on this system."
    exit 1
else
    echo "Puppet Agent not found on system."
fi

# Generate default puppet config file
echo "# Puppet OpenSource Client Configuration File" > /tmp/puppet.conf.tmp
echo "# Author: Daniel Eather" >> /tmp/puppet.conf.tmp
echo "# Date:   ${timeStamp}" >> /tmp/puppet.conf.tmp
echo "" >> /tmp/puppet.conf.tmp
echo "[agent]" >> /tmp/puppet.conf.tmp
echo "    certname=${HOSTNAME}" >> /tmp/puppet.conf.tmp
echo "    node_name=${HOSTNAME}" >> /tmp/puppet.conf.tmp

# Copy over required files (patch, pkgutil, the local install script, the generated config, bundled puppet dependencies)
scp 113713-29.zip root@${HOSTNAME}:/var/spool/pkg/
scp pkgutil-sparc.pkg root@${HOSTNAME}:/tmp/
scp local-solaris9-install.sh root@${HOSTNAME}:/tmp/
scp /tmp/puppet.conf.tmp root@${HOSTNAME}:/tmp/
scp sol9_puppet_dep.tar root@${HOSTNAME}:/tmp/

# Execute install script locally on server
ssh root@${HOSTNAME} "chmod +x /tmp/local-solaris9-install.sh"
ssh root@${HOSTNAME} "/tmp/local-solaris9-install.sh"

---- local-solaris9-install.sh ----

#!/bin/sh
# Runs on the Solaris 9 server as root (copied into /tmp by remote-solaris9-install.sh)

# Set http proxy environment variable (pkgutil checks the OpenCSW catalog before installing)
# Placeholder value: the post does not include the real proxy; substitute your own authenticated proxy
http_proxy="http://USER:PASSWORD@proxy.example.com:8080"
export http_proxy

# Unpack and install patch 113713-29 (required for OpenCSW to work)
cd /var/spool/pkg; unzip /var/spool/pkg/113713-29.zip
yes | patchadd /var/spool/pkg/113713-29

# Install pkgutil
yes | pkgadd -d /tmp/pkgutil-sparc.pkg all

# Unpack install files for puppet, to save downloading them each time
mkdir -p /var/opt/csw/pkgutil/packages
mv /tmp/sol9_puppet_dep.tar /var/opt/csw/pkgutil/packages/
cd /var/opt/csw/pkgutil/packages/; tar xvf sol9_puppet_dep.tar

# Install Puppet
/opt/csw/bin/pkgutil -i -y puppet

# Drop in puppet agent configuration file
mv /tmp/puppet.conf.tmp /etc/puppet/puppet.conf

# Connect to Puppet master and authenticate (retries every 60s until the master signs the cert; immediate with autosign on)
/opt/csw/bin/puppet agent --waitforcert 60 -t

# Start Puppet
/etc/init.d/cswpuppetd start

# Cleanup large dependency file
rm -f /var/opt/csw/pkgutil/packages/sol9_puppet_dep.tar